Month: November 2015

What is Identicon?

An Identicon is a visual representation of a hash value, usually of an IP address, that serves to identify a user of a computer system as a form of avatar while protecting the users’ privacy. The original Identicon was a 9-block graphic, and the representation has been extended to other graphic forms by third parties.

You want the world to see your website, and we can help. Start targeting over 200 global markets* with a Website Card today:
Whether you have an eCommerce shop, a blog, or a landing page — Website Cards guide the right audience from their timeline to your site in a single click.

In Zend Framework, Zend_Captcha_Word (v1) and ZendCaptchaWord (v2)
generate a "word" for a CAPTCHA challenge by selecting a sequence of random
letters from a character set. Prior to this advisory, the selection was
performed using PHP’s internal array_rand() function. This function does not
generate sufficient entropy due to its usage of rand() instead of more
cryptographically secure methods such as openssl_pseudo_random_bytes(). This
could potentially lead to information disclosure should an attacker be able to
brute force the random number generation.

Action Taken

The code used to randomly select letters was updated as follows:

In Zend Framework 1.12.17, the methods randBytes() and randInteger() were
added to Zend_Crypt_Math. Zend_Captcha_AbstractWord was updated to useZend_Crypt_Math::randInteger() instead of array_rand() when selecting
letters for the CAPTCHA word.

In the package zendframework/zend-captcha 2.4.9/2.5.2 and Zend Framework
2.4.9, ZendCaptchaAbstractWord was updated to useZendMathRand::getInteger() instead of array_rand() when selecting
letters for the CAPTCHA word.

The following releases contain the fixes:

Zend Framework 1.12.17

Zend Framework 2.4.9

zend-captcha 2.4.9

zend-captcha 2.5.2

Recommendations

This patch is considered a security hardening patch, and as such, was not
assigned a CVE identifier.

Regardless, if you use one of the word-based CAPTCHA adapters in Zend Framework
1 or 2, we recommend upgrading to 1.12.17, 2.4.9, or zend-captcha 2.4.9/2.5.2.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and
working with us to help protect its users:

ZendCryptPublicKeyRsaPublicKey has a call to openssl_public_encrypt()
which uses PHP’s default $padding argument, which specifiesOPENSSL_PKCS1_PADDING, indicating usage of PKCS1v1.5 padding. This padding has
a known vulnerability, the Bleichenbacher’s chosen-ciphertext attack,
which can be used to decrypt arbitrary ciphertexts.

Action Taken

ZendCryptPublicKeyRsaPublicKey::encrypt() was updated to accept an
additional argument, $padding; the default value for this argument was set
to OPENSSL_PKCS1_OAEP_PADDING.

ZendCryptPublicKeyRsaPrivateKey::decrypt() was updated to accept an
additional argument, $padding; the default value for this argument was set
to OPENSSL_PKCS1_OAEP_PADDING.

ZendCryptPublicKeyRsa::encrypt() was updated to accept an additional
optional argument, $padding, allowing the user to specify the padding to use
with PublicKey::encrypt().

ZendCryptPublicKeyRsa::decrypt() was updated to accept an additional
optional argument, $padding, allowing the user to specify the padding to use
with PrivateKey::decrypt().

The above changes represent a backwards-compatibility break, but were necessary
to prevent the outlined vulnerability. If you were usingZendCryptPublicKeyRsa previously, you will likely need to re-encrypt any
data you’ve previously encrypted to use the new padding. This can be done as
follows:

All requests to the API are signed with HTTP Basic Authentication, you just need an API token to get started. To get your API token, please login to your Inspectlet account and look under “API Credentials” on the Your Account page.

Private Browsing

Firefox won’t save things like your browsing history, searches or cookies, but it will keep new bookmarks and files you download.

As you browse the web, Firefox remembers lots of information for you – like the sites you’ve visited. There may be times, however, when you don’t want people with access to your computer to see this information, such as when shopping for a present. Private Browsing allows you to browse the Internet without saving any information about which sites and pages you’ve visited.

•“In Case You Missed It” (aka #ICYMI) is a daily clip show designed to dig up the offbeat and interesting stories that get buried by the biggest headlines. We’ll bring you space and tech news, as well as internet lifestyle funk, and we’ll round out each week’s show with a headline blast to bring you the big stories you might have missed.